What to do about increasing insider threats

October 15, 2014


by Shane Sims and Neal Pollard.

Hackers, nation-states, and organized crime are the threat actors that everyone loves to hate. While businesses cite employees as the number-one source of cyber compromises, insider incidents rarely get the same media attention as those committed by the “bad guys.” Insiders often fly under the radar and may be very difficult to root out because the perpetrators have trusted—and often privileged—access to networks and data. Internal incidents also can be more damaging than those caused by external threat actors, in part because insiders may know exactly where critical assets are stored, how to access them, and how to side-step security measures.

It’s a growing problem. In this year’s Global State of Information Security® Survey 2015, respondents reported that incidents attributed to current and former employees are higher than ever. The number of respondents who point the finger at current employees climbed to 35%, and incidents attributed to former employees increased to 30% this year.

Yet, despite these self-reported increases, implementation of important safeguards to help prevent and detect employee incidents is declining. Consider, for instance, privileged user access. Privileged accounts are a particular risk because they give an employee who intends harm open access to an organization’s most sensitive data and systems. But not all incidents are the result of ill intent: cyber adversaries often employ convincing spear-phishing tactics to steal the credentials of privileged users and thereby gain broad access to the organization’s systems and sensitive data. These are known risks, yet only 56% of survey respondents said they employ privileged user-access tools, down from 65% in 2013.

Keeping tabs on user activities can help detect anomalies that may indicate suspicious behavior. Yet only 55% of respondents said they employ user-activity monitoring tools, a decrease from 60% last year. And even the most basic of employee due-diligence processes is waning. This year, 55% of respondents said they conduct personnel background checks during the hiring process, a drop from 62% in 2013. Finally, the weakest link in the cybersecurity chain is often human, and that makes employee training and awareness essential to every security program. So it’s worrisome to find that the number of organizations that have an employee security awareness and training program dropped to 51%, down from 60% in 2013.

A lack of due diligence into third parties

While current and former employees are the source of most internal compromises, business partners with trusted access can also commit, or even unwittingly facilitate, insider cybercrime. You need only consider last year’s high-profile government-contractor data leaks and retailer breaches to understand the potential for damage.

Survey results show that incidents attributed to current and former service providers, consultants, and contractors increased to 18% and 15%, respectively, in 2014. While incidents caused by trusted third parties are not as frequent as those attributed to employees, the risk is compounded by the fact that many organizations do very little to assess the cybersecurity practices and capabilities of external partners. In fact, due diligence of third parties with trusted access to networks and data seems to be falling out of favor.

A look at the survey numbers shows that 55% of organizations said they have security baselines for external partners, suppliers, and vendors. That’s down from 60% in 2013. In fact, many organizations may not even know what partners have access to their sensitive customer and employee data, since only half said they have an inventory of all third parties that handle this type of information. Slightly more (54%) said they require third parties to comply with privacy policies, down from 58% in 2013. A final troublesome trend is the finding that only 50% of organizations perform risk assessments on third-party vendors, down from 53% last year.

How you can tackle insider threats

Reducing cybercrimes committed by internal actors will demand that organizations develop an insider-threat management program that is aligned and integrated with their business, cybersecurity, and data-protection strategies. In doing so, it’s important to understand that insider risks cannot be managed by the IT, information security, or corporate security business functions alone. Nor can technology itself forestall insider threats. Effective management will require a disciplined, cross-functional approach that includes IT, information security, corporate security, HR, legal, audit, and privacy, as well as leadership from lines of business.

The following steps are critical to creating and implementing an effective insider-threat program:

  • Senior executives and business leaders should identify and agree upon what constitutes the organization’s most valuable data and systems, and who is responsible for protecting those assets.
  • Next, organizations should pinpoint where high-value data assets are stored across the enterprise and determine who has access to them.
  • A compilation of technical and non-technical insider-risk indicators is essential. These indicators should be based on an understanding of how insider-threat actors target sensitive data, what telltale signs or evidence would expose their actions, and how the organization should respond.
  • It is also important to determine external threat-actor indicators to help identify the types of adversaries that are likely to target the organization.
  • Employees and managers form the backbone of an effective insider-threat management program because they are often in a position to first notice suspicious behavior or risk indicators. Consequently, ongoing security awareness programs are essential to detecting and deterring threats.
  • Continuous monitoring of high-value data, systems, and activities across the enterprise should be implemented and managed by a dedicated team.

Given today’s elevated threat environment, it’s no longer possible to protect all data at the highest level. But implementing a well-designed insider-threat management program and fusing it with existing security practices can help organizations more effectively detect and rapidly respond to internal risks. And that is increasingly integral to any organization’s cybersecurity program.

Interested in reading more on insider threats?

Download our white paper: Managing insider threats: Why you need a proactive approach to protecting information assets from authorized users with malicious intent


The Global State of Information Security® is a registered trademark of International Data Group, Inc.

